
Category Archives: malware

This book is an interesting and disturbing glimpse into the world of cyber-crime, particularly online credit card fraud (‘carding’). It also touches on related areas, such as cyber-warfare. It is written by a journalist, so don’t expect much in the way of technical detail. But if you can get past the tacky cover artwork and the dubious subtitle (‘how hackers became the new Mafia’), it is a fascinating read.

The story mainly centres on the eponymous ‘DarkMarket’, a forum in which cyber-criminals conducted their murky business, for example buying and selling stolen credit card numbers. The story of DarkMarket is known in some detail because it was infiltrated by various government agencies and some of its key players were brought to trial.

There are lots of different characters mentioned in the book, many of whom have non-English names and online aliases. This makes the story quite hard to follow. Perhaps that is inevitable given that it is a story about deception and duplicity involving many people. Nevertheless, it provides plenty of interesting insights into this dark underbelly of the Net.

Online fraud is a cooperative effort. For example, some people specialize in stealing credit card numbers, others in selling credit card skimming devices, and still others in employing armies of ‘mules’ to make withdrawals from ATMs (the riskiest part of the operation). But criminals are hardly likely to trust other criminals they have never met, especially given that some criminals (‘rippers’) specialize in ripping off other criminals. This is where forums such as DarkMarket come in. They act as a trusted third party, providing escrow and other services to cyber-criminals. The backgrounds and motivations of the cyber-criminals seem to vary considerably. Some start off as curious hackers without any criminal intent, but turn to the ‘dark side’, often in small increments. Such people often seem to be motivated by status and reputation more than money. Others are simply in it for the easy money.

There are many ways in which your credit card details can be stolen. For example, you hand your card to a petrol station employee. The employee quickly swipes your card through a hidden credit card skimmer before swiping it through the legitimate device (they might pretend to have dropped something behind the counter to disguise this). A small camera hidden in the ceiling records you typing your PIN. The criminal now has a copy of your card data and your PIN. These can be sold on, perhaps through a forum such as DarkMarket, to other criminals who specialize in extracting the money. They will clone your card and instruct their ‘mules’ to withdraw the money from an ATM and pay it into another account, keeping a percentage for their trouble. Some of the ‘work from home’ and ‘I made £2000 in a week’ ads you see in spam emails and attached to lampposts may be from cyber-criminals trying to recruit ‘mules’ for this purpose. Sometimes the criminals will withdraw small amounts over a long period, as this is less likely to be noticed than one big withdrawal.

Cyber-crime is difficult to prosecute. It is hard to establish the real identity of the criminals, and they are often based in a different legal jurisdiction from the victim. The security services have infiltrated many cyber-criminal forums; the DarkMarket server was eventually run by an undercover FBI agent. However, even security services from the same country (e.g. the FBI and the Secret Service in the US) don’t seem able to play nicely together, and end up investigating each other’s agents and informants and generally tripping over each other. The author believes that the Russian security services have infiltrated many of the Russian-speaking cyber-crime forums, but have no interest in shutting them down as long as the criminals are careful never to steal from other Russians. The banks also aren’t keen to cooperate in investigations. You and I ultimately pay for the fraud through our credit card fees. As long as the banks are making lots of money they don’t want to upset the apple cart by revealing the scale of the fraud. It might affect their bonuses.

So don’t expect cyber-crime to go away any time soon. But do stay away from dodgy websites, keep your credit card in sight at all times, cover the keypad with one hand while you type in your PIN with the other, and check your statements!

Are you just one click away from disaster? The following post on ASP forums woke me out of my complacency (reproduced with the author’s kind permission):

It happened to me today with FireFox 3.

While searching Google for some information on a movie I watched recently (wasting time, more or less), I clicked on a link that I thought was to IMDB. I only glanced at it in the Google search results before I clicked on it. As soon as the page loaded the browser closed, my desktop background was changed and some sort of fake scanner window showed up. Then I saw desktop icons appear. Then a BSOD, or so I thought.

It turns out it was a pretty common piece of malware called Smitfraud combined with a fake AV malware software called “AntiVirus XP 2008”. They kept asking me to register the software in order to clean the 2700+ viruses that it found during its “scan”. The BSOD was a cleverly designed screen saver, I assume designed to make a user reboot without trying any real scanner software.

Luckily I use Acronis TrueImage to do incremental backups every night so restoring to what I had at 4AM this morning only took about an hour but it really woke me up. I had disabled the Avast resident scanner a few days ago thinking that I didn’t need it – I mean, I don’t download random EXE files from the net, I don’t visit “bad” sites and I don’t use any p2p file sharing network so I’m safe – right? WRONG! Talk about a humbling experience. Here I am, an uber nerd, and I just had my entire system hosed in about 4 seconds by visiting a website. If I weren’t obsessed with backups and redundancy I could have lost the source code to all of my software or worse, allowed some cracker kid to install a rootkit and gain access to my desktop on demand. Talk about a nightmare!

I can only assume I ran into a site exploiting some new QuickTime or Flash vulnerability. I definitely didn’t download and run anything from the website – I only clicked the link from Google.

If I could remember the site I would try to return to it in a VM with anti-virus software enabled to see if it could catch it before bad things happened. I can only hope that my huge mistake of not turning on my AV software’s resident scanner was the main thing that allowed the software to be installed.

I’ve since started using OpenDNS.org, set Acronis to do incremental updates twice a day, enabled Avast’s resident scanner and installed the Teatimer program from Spybot Search & Destroy. Oh, and I uninstalled Flash and QuickTime just in case (though I checked and I had the most recent versions of both!).

The responses included several suggestions to use the ‘NoScript’ add-on for Firefox. I have been trying it for a few days. It is slightly annoying to keep having to OK scripts on trusted sites, but that seems a price worth paying. And don’t forget to do your backups.

VirusTotal is a free service that gives you aggregate results from 36 different malware scanners (at the time of writing). Just browse to the file you want to check on your PC and click ‘Send file’. It will quickly return the results of all the scans, the file’s hashes and size, and a list of the Windows system calls the file makes.

This is a great resource for checking that software you are about to install doesn’t contain malware. It is also useful for checking that your own download files haven’t been tampered with and don’t trigger false positives. Two caveats: a clean sweep across all the scanners is not proof that a file is harmless, since a sufficiently new sample may not yet be detected by any of them; and anything you upload is shared with the anti-virus vendors, so don’t send unreleased code or files you are not allowed to disclose. Note also that some software protection systems have been known to trigger false positives from malware scanners.
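The tamper check can be done locally, before anything is uploaded, by comparing the file’s SHA-256 with the hash the publisher lists on its download page. The following is an added example, not code from this page or from VirusTotal: it hashes a file in chunks (so a large installer need not fit in memory), compares the result in constant time, and exercises the check on a constructed sample file whose SHA-256 is well known, then on a copy with one byte flipped. The file name and the ‘published’ hash are made up for the demonstration.

```python
"""Verify a download against its published SHA-256 before installing or uploading it.

Added example, not the page's own code. The sample file, its name and the
'published' hash below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash one megabyte at a time; installers can be hundreds of MB


def file_digests(path):
    """Return the MD5, SHA-1 and SHA-256 hex digests of a file, computed in one pass.

    MD5 and SHA-1 are returned only because scanners and lookup services still
    index samples by them; both have practical collision attacks, so neither is
    suitable for deciding whether a file is genuine.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, published_sha256):
    """True only if the file's SHA-256 equals the hash the vendor published.

    hmac.compare_digest compares in constant time, so the caller cannot be used
    as an oracle for how many leading characters of the hash matched.
    """
    actual = file_digests(path)["sha256"]
    return hmac.compare_digest(actual, published_sha256.strip().lower())


def demo():
    """Write a constructed 'download', verify it, flip one byte, verify again."""
    # Constructed sample: the bytes b"abc" and the well-known SHA-256 of "abc".
    published = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "setup.exe")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"abc")
        genuine_ok = verify_download(path, published)

        # Overwrite the first byte: what a trojaned mirror or a corrupt transfer produces.
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(b"x")
        tampered_ok = verify_download(path, published)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine file verifies:", genuine)    # True
    print("tampered file verifies:", tampered)  # False
```

The decision is made on SHA-256 alone; the MD5 and SHA-1 values are only for looking the sample up elsewhere. Comparing the hash you computed yourself against the vendor’s published value also catches the case the page mentions of your own download files having been modified in transit or on a mirror, without disclosing the file to anyone.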